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From: 

Sent: 10 December 2019 16:28 

To: SARguidance 

Subject: Right Of Access - Draft Guidance - Power of Attorney Example 
Dear Sirs 


| am writing in relation to the guidance published on the ICO. 


The guidance is helpful. However, | am concerned that one of the examples given is misleading 
and potentially gives bad advice. This is the example with regards third party representatives 
making Subject Access Requests. More specifically, the attorneys of individuals. 


“A building society has an elderly customer who visits a particular branch to make weekly account 
withdrawals. Over the past few years, she has always been accompanied by her daughter who is 
also a customer of the branch. The daughter makes a SAR on behalf of her mother and explains 
that her mother does not feel up to making the request herself as she does not understand data 
protection. The building society is rightly cautious about giving customer information to a third 
party, as the information they hold is mostly financial. If the daughter had a general power of 
attorney, the society would be happy to comply. They ask the daughter whether she has such a 
power, but she does not. 


Whilst the branch staff know the daughter and have some knowledge of the relationship she has 
with her mother, it is still necessary to require more formal authority.” 


There are some issues in this that concern me. A General Power of Attorney (“GPA”) is a different 
document to a Lasting Power of Attorney for Property & Financial Affairs (“LP1F”) and an 
Enduring Power of Attorney (“EPA”). For a GPA to be valid and remain valid, the Donor (the 
person making the GPA) must have capacity. If they lose capacity, it is not valid. A LP1F remains 
valid even if the Donor subsequently loses capacity. An EPA is valid when the Donor has lost 
capacity, provided it has been registered. 


In the example given, the daughter explaining the mother does not feel up to making the request 
herself as she does not understand data protection may be a sign of lost capacity. If the daughter 
showed a valid GPA or certified copy, the building society should still be cautious and perhaps 
refuse service. They should at the very least try to contact the mother and check she has 
capacity. If the daughter showed a LP1F or a registered EPA, or even sealed copies of a 
Deputyship Order, this should be sufficient authority. My concern is that this example is 
misleading and could lead to some errors. Ultimately, it could result in a sibling of the daughter 
visiting a firm of solicitors claiming that their sister stole their mother’s money. 


You may wish to either reword the example or look at another example for third party 
representatives. 


My apologies for bringing this up, but | do feel the guidance needs to be completely accurate. 
Please do not hesitate to contact me if you require any further information. 


Yours sincerely 
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